Abstract.
In this paper, we first demonstrate that the Android RunTime (ART) newly
introduced in the latest Android versions (Android 5.0 or above) exposes a new
attack surface, namely the "return-to-art" (ret2art) attack. Unlike traditional
return-to-library attacks, the ret2art attack abuses Android framework APIs
(e.g., the API to send SMS) as payloads to conveniently perform malicious
operations. This new attack surface, together with the weakened ASLR
implementation in the Android system, makes the successful exploitation of
vulnerable apps much easier. To mitigate this threat and provide self-protection
for Android apps, we propose a user-level solution called Blender, which
self-randomizes the address space layout of apps. Specifically, for an app using
our system, Blender randomly rearranges the loaded libraries and the Android
runtime executable code in the app's process, achieving much higher memory
entropy than the vanilla app. Blender requires no changes to the Android
framework or the underlying Linux kernel, and is thus a non-invasive and
easy-to-deploy solution. Our evaluation shows that Blender incurs only around
6MB of additional memory footprint for an app using our system, and does not
affect other apps that do not use it. It adds 0.3 seconds of app start-up delay,
and imposes negligible CPU and battery overheads.
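The memory-entropy comparison the abstract refers to can be sanity-checked from outside an app by recording its `/proc/<pid>/maps` across launches and measuring how much the base of each executable object moves. The script below is an added example, not code from the Blender paper: the maps lines, object paths and base addresses are constructed, and with N recorded launches the measured entropy is capped at log2(N), so it is a lower bound rather than a full entropy measurement.

```python
# Added example (not from the Blender paper): per-object base-address entropy
# of an app's executable mappings across launches. All sample data is constructed.
import math
import re
from collections import Counter, defaultdict

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text):
    """Return {path: lowest start address} for file-backed executable mappings."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, perms, path = int(m.group(1), 16), m.group(3), m.group(4)
        if "x" not in perms or not path.startswith("/"):
            continue  # skip data/rodata segments and anonymous mappings
        bases[path] = min(start, bases.get(path, start))
    return bases

def base_entropy_bits(snapshots, page_shift=12):
    """Shannon entropy (bits) of each object's page-aligned base across launches (<= log2(N))."""
    per_obj = defaultdict(Counter)
    for snap in snapshots:
        for path, base in parse_maps(snap).items():
            per_obj[path][base >> page_shift] += 1
    result = {}
    for path, counts in per_obj.items():
        n = sum(counts.values())
        result[path] = -sum(c / n * math.log2(c / n) for c in counts.values())
    return result

def snapshot(libc_base, oat_base):
    """Constructed two-object maps snapshot; the r--p line must be ignored by the parser."""
    return (
        f"{libc_base:012x}-{libc_base + 0x20000:012x} r-xp 00000000 fd:00 101 /system/lib64/libc.so\n"
        f"{libc_base + 0x20000:012x}-{libc_base + 0x24000:012x} r--p 00020000 fd:00 101 /system/lib64/libc.so\n"
        f"{oat_base:012x}-{oat_base + 0x100000:012x} r-xp 00000000 fd:00 202 /data/dalvik-cache/arm64/boot.oat\n"
    )

# Four constructed launches each: the vanilla app reloads every object at the same
# base, while the randomized app relocates libc and the oat file on every start.
VANILLA = [snapshot(0x7f3a1c000000, 0x7f3a1d000000)] * 4
RANDOMIZED = [snapshot(l, o) for l, o in [(0x7f3a1c000000, 0x7f3a1d000000), (0x7f2b70000000, 0x7f2b91000000),
                                          (0x7f55a3000000, 0x7f5600000000), (0x7e9012000000, 0x7e9130000000)]]

if __name__ == "__main__":
    for label, snaps in (("vanilla", VANILLA), ("randomized", RANDOMIZED)):
        print(label, {p.rsplit("/", 1)[-1]: round(b, 2) for p, b in base_entropy_bits(snaps).items()})
```

Running it on real snapshots means dumping `/proc/<pid>/maps` once per launch (on a rooted or debuggable device) and passing the captured texts in place of the constructed lists.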

BibTeX Record:

@inproceedings{sun2016blender,
author = {Sun, Mingshen and Lui, John C.S. and Zhou, Yajin},
title = {Blender: Self-randomizing Address Space Layout for Android Apps},
booktitle = {Proceedings of the 19th International Symposium on Research in Attacks, Intrusions and Defenses},
series = {RAID '16},
year = {2016},
}